Analysis
max time kernel: 92s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/07/2024, 21:27
Static task: static1
Behavioral task: behavioral1
Sample: 3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General
Target: 3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
Size: 593KB
MD5: 3673d5090b77a0b033da84545fda2f0f
SHA1: 010d2e93a19af30eb6f17052abd855933edc4873
SHA256: a6e63d38a8ebe09d0c09b45d7245137f1cdd0e7e9e978997814ea9bd6c33ee33
SHA512: 05f91a2f9dc112b80bdca6db4ccc907041ad267812d9aa514d513c2d9673b9b4aed48699bf019d2dc95e7101bb9601334d6e17d4f77f7ba2fb85303f3c7349de
SSDEEP: 12288:a39mSPuqDWEB1l9gvW01XM/f85jsz1+ruUA+lpOxuGzVg7I:ymS2savWoXEqsB+S+lUkGO7I
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | setup.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | 3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
Executes dropped EXE (1 IoCs)
pid | Process
2132 | setup.exe
Loads dropped DLL (2 IoCs)
pid | Process
1928 | MsiExec.exe
1928 | MsiExec.exe
Blocklisted process makes network request (3 IoCs)
flow | pid | Process
9 | 1572 | msiexec.exe
12 | 1572 | msiexec.exe
15 | 1572 | msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3540 | 3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
3540 | 3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
1572 | msiexec.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3540 wrote to memory of 2132 | 3540 | 3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe | 86
PID 3540 wrote to memory of 2132 | 3540 | 3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe | 86
PID 3540 wrote to memory of 2132 | 3540 | 3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe | 86
PID 2132 wrote to memory of 1572 | 2132 | setup.exe | 88
PID 2132 wrote to memory of 1572 | 2132 | setup.exe | 88
PID 2132 wrote to memory of 1572 | 2132 | setup.exe | 88
PID 2452 wrote to memory of 1928 | 2452 | msiexec.exe | 90
PID 2452 wrote to memory of 1928 | 2452 | msiexec.exe | 90
PID 2452 wrote to memory of 1928 | 2452 | msiexec.exe | 90
Processes (tree depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe (PID 3540)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\luiBD55.tmp\setup.exe (PID 2132)
    Command line: "C:\Users\Admin\AppData\Local\Temp\luiBD55.tmp\setup.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe (PID 1572)
      Command line: "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\luiBD55.tmp\SP-Fantasy_Installer.msi"
      - Blocklisted process makes network request
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 2452)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (PID 1928)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 502AA4201E50030261C7A8458163DAFC C
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 222KB
MD5: fb4ed24de182178cac3cd3870a4ba5b6
SHA1: 38b168fbe97b72a5de5eaef16535ea1aed964e1b
SHA256: 5070b4cdf7e2f95535f3340a3a0d9bce496478d0bd445b470dd67278a910c578
SHA512: 03ffa685a28333cc7d8eb4a0fdd8c5dce85ca1126bcdefebda83a91586b98ae559d56074b943a6df0ec011eaa58b6841026ffb8b42e08b74351b0118011d3c9a

Filesize: 524KB
MD5: 149c5470d721e646952cea819487ff28
SHA1: 5e6ee0a902135f80aea5adace0ea07c03cb82b4e
SHA256: f8ca4710cf343b7afe9fd6003a8387374a709feb5929f7bc0ff54c5cea5148b7
SHA512: a2cbf9418d207d8321050cbef4fde3900f9b857441f5e22f400a7eadc948c0ee421946e0208af5761ba34f6b2e58c52f7fe632a22cc487c261c577d4747b5cc4

Filesize: 366KB
MD5: b07a06446303767f1c8c26bc1ef83baf
SHA1: 94aa8c6ddd5f6e96867e997f150c63ebf1fc0019
SHA256: 349df2da098acb773284ebf50503cab096c949cf4bb63d75e96d75bed7937564
SHA512: be1592432745c66e7c5eef56dd452ca32dd9e461eb7522cd3e58a2dde8f4341c46aa2fa44be1a72151e259dd2fd7cb246091040e05486a5ee5f042077dd234a4